https://httpoxy.org/
It is possible to set the HTTP_PROXY in CGI scripts by passing the Proxy header. If the script is a Python script and downloads files, urllib will happily use the attacker-supplied proxy to make requests.
This should be mitigated like it is in Perl (since 2001), Ruby, and libraries like curl.
See also: bug against python-requests https://github.com/kennethreitz/requests/issues/3422